The pandemic and GDPR: what you should do.
An insight into how to mitigate against privacy risks caused by the pandemic.
How will the pandemic affect your GDPR compliance?
– You must now take steps to minimise transmission and exposure. Personal data is vital to monitor and enforce isolation, trace contacts and test.
– Moving business online increases your reliance on personal data.
What has the ICO said?
In brief, “business as usual” but that they will be pragmatic and flexible in the circumstances. Roughly translated:
– Where you have good compliance measures in place but breach the GDPR due to the pandemic, you are unlikely to be fined.
– Where the pandemic exposes bad compliance practice, you are more likely to be fined.
The following compliance measures are likely to be tested:
(1) Special category personal data (“SCPD”)
Health information is a type of SCPD and you will use more of it. When you collect and use SCPD, you must have an “appropriate policy document” (“APD”) in place. You should amend your APD:
– to reflect the lawful conditions you will rely on (i.e. employment/social protection law, vital interests, public heath and preventative/occupational medicine); and
– to contain a new pandemic-specific retention period (i.e. currently unknown and awaiting further guidance, to be reviewed regularly).
(2) What information can we collect and share?
We recommend the following overview strategy:
– In general, be more cautious than usual as you must prioritise public health, but this isn’t carte blanche to ask excessive or intrusive questions.
– For now, you will likely be fine to ask for confirmation of symptoms, contact with infected individuals or quarantine/self-isolation; recent travel and generalise residence information (to check exposure to infection clusters).
– Share information as necessary, but implement protocols according to the sensitivity of the information. A general warning that an employee has displayed symptoms is you will likely be fine without identifying the employee, but sharing names/health information in individual circumstances (for example sickness / bereavement leave) should be subject to confidentiality, need-to-know and password-access protocols.
(3) Data security breaches are more likely
People are working and interacting online in unprecedented numbers and ways. Systems facilitating this will be stress-tested in ways their designers and operators never anticipated, and we have already seen evidence of cyber criminals circling. Data security breaches, tightly regulated by the GDPR, will occur.
The ICO will expect you to have:
– stress-tested relevant systems (such as remote working software and online payment facilities);
– an effective data security incident policy which sets out to employees how to recognise breaches, who to inform, investigation and mitigation steps, and when to notify the ICO and affected individuals. This is particularly useful: the most common cause of security breach is human error.
– Consider implementing/amending other compliance measures, like information security policies, computer use policies and organisational email policies.
We also recommend reviewing downstream contracts with suppliers processing personal data on your behalf to ensure you are protected against shared data security risks.
(4) Transparency and accuracy
Do your privacy notices (public and employee) account for types of information you now need to collect and ways you now need to use it? Amend if not.
Data accuracy is more important because retaining inaccurate information is harmful not just to individual privacy but also our national response. Review information you store related to the pandemic more often than you normally would to ensure it remains accurate.
(5) Subject access requests
As more individuals are laid off, more individuals are likely to make SARs to find evidence of your non-compliance with very new law. Stress-test your SAR compliance structure, especially for multiple simultaneous requests.
Comply with current SARs as normal, but consider whether you have a genuine need to rely on 2-month compliance extensions in case of complex (i.e. due to depleted resources / prioritisation) or multiple requests or agreeing an informal delay with the requester.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: firstname.lastname@example.org